Google uses AI technology to translate content into your preferred language. AI translations can contain errors.
角色和權限
Cloud de Confiance by S3NS 提供身分與存取權管理 (IAM) 功能,可對特定Cloud de Confiance 資源授予更精細的存取權,避免未經授權者存取其他資源。本頁面說明 Service Directory API 角色。如需 IAM 的詳細說明,請參閱 IAM 說明文件 。
IAM 採用最小權限原則 ,可確保您僅授予使用者必要的資源存取權限。
設定 IAM 政策後,即可控管「哪些人」
權限與角色
每個 Service Directory API 方法都需要呼叫端具備必要的 IAM 權限。您可以將角色授予使用者、群組或服務帳戶,藉此指派權限。除了基本角色擁有者、編輯者和檢視者外,您還可以將 Service Directory API 角色授予專案使用者。
權限
如要瞭解每種方法需要哪些權限,請參閱 Service Directory API 參考文件 。
角色
Role
Permissions
Service Directory Admin
(roles/servicedirectory.admin )
Full control of all Service Directory resources and permissions.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.*
servicedirectory.endpoints.create servicedirectory.endpoints.delete servicedirectory.endpoints.getservicedirectory.endpoints.getIamPolicy servicedirectory.endpoints.list servicedirectory.endpoints.setIamPolicy servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.locations.getservicedirectory.locations.list
servicedirectory.namespaces.*
servicedirectory.namespaces.associatePrivateZone servicedirectory.namespaces.create servicedirectory.namespaces.delete servicedirectory.namespaces.get servicedirectory.namespaces.getIamPolicy servicedirectory.namespaces.list servicedirectory.namespaces.setIamPolicy servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.*
servicedirectory.services.bindservicedirectory.services.create servicedirectory.services.delete servicedirectory.services.getservicedirectory.services.getIamPolicy servicedirectory.services.listservicedirectory.services.resolve servicedirectory.services.setIamPolicy servicedirectory.services.update
Service Directory Editor
(roles/servicedirectory.editor )
Edit Service Directory resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.locations.getservicedirectory.locations.list
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update
Service Directory Viewer
(roles/servicedirectory.viewer )
View Service Directory resources.
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.locations.*
servicedirectory.locations.getservicedirectory.locations.list
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
Service Directory Network Attacher
(roles/servicedirectory.networkAttacher )
Gives access to attach VPC Networks to Service Directory Endpoints
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.networks.attach
Private Service Connect Authorized Service
(roles/servicedirectory.pscAuthorizedService )
Gives access to VPC Networks via Service Directory
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.networks.access
Service agent roles
Service agent roles should only be granted to service agents .
Role
Permissions
Service Directory Service Agent
(roles/servicedirectory.serviceAgent )
Give the Service Directory service agent access to Cloud Platform resources.
Warning: Do not grant service agent roles to any principals except
service agents .
container.clusters.get
gkehub.features.get
gkehub.gateway.delete
gkehub.gateway.generateCredentials
gkehub.gateway.get
gkehub.gateway.patch
gkehub.gateway.post
gkehub.gateway.put
gkehub.locations.*
gkehub.locations.getgkehub.locations.list
gkehub.memberships.get
gkehub.memberships.list
resourcemanager.projects.get
resourcemanager.projects.list
servicedirectory.endpoints.create
servicedirectory.endpoints.delete
servicedirectory.endpoints.get
servicedirectory.endpoints.getIamPolicy
servicedirectory.endpoints.list
servicedirectory.endpoints.update
servicedirectory.locations.*
servicedirectory.locations.getservicedirectory.locations.list
servicedirectory.namespaces.associatePrivateZone
servicedirectory.namespaces.create
servicedirectory.namespaces.delete
servicedirectory.namespaces.get
servicedirectory.namespaces.getIamPolicy
servicedirectory.namespaces.list
servicedirectory.namespaces.update
servicedirectory.networks.attach
servicedirectory.services.bind
servicedirectory.services.create
servicedirectory.services.delete
servicedirectory.services.get
servicedirectory.services.getIamPolicy
servicedirectory.services.list
servicedirectory.services.resolve
servicedirectory.services.update
使用 Cloud de Confiance 控制台控管存取權
您可以使用 Cloud de Confiance 主控台管理登錄的存取控管。
如要在專案層級設定存取權控管選項,請執行以下操作:
控制台
前往 Cloud de Confiance 控制台的「IAM」(身分與存取權管理)
前往「IAM」(身分與存取權管理) 頁面
從頂端的下拉式選單中選取專案。
按一下「Add」(新增)
在「New principals」(新增主體)
從下拉式選單中選取所需角色:servicedirectory.admin、servicedirectory.editor或 servicedirectory.viewer
按一下 [儲存]
確認列出的主體具備您所授予的角色。
Service Directory 區域會覆寫 IAM 限制
將命名空間指派給 Service Directory 區域後,所有有權查詢私人區域的網路用戶端,都能看到服務名稱。DNS 沒有 IAM 存取控管,因為 DNS 通訊協定不提供驗證功能。
後續步驟
除非另有註明,否則本頁面中的內容是採用創用 CC 姓名標示 4.0 授權 ,程式碼範例則為阿帕契 2.0 授權 。詳情請參閱《Google Developers 網站政策 》。Java 是 Oracle 和/或其關聯企業的註冊商標。
上次更新時間:2026-06-05 (世界標準時間)。
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["缺少我需要的資訊","missingTheInformationINeed","thumb-down"],["過於複雜/步驟過多","tooComplicatedTooManySteps","thumb-down"],["過時","outOfDate","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["示例/程式碼問題","samplesCodeIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2026-06-05 (世界標準時間)。"],[],[]]
